How should I index the 100 billion log

woon_minika · April 26, 2018, 11:17pm

Hi,

I have multi services which generating at least 2 million of log message per day, I’m using logstash to form a doc and I create new index for every new day log, but I’m feeling it should have better way to handle it? Should I put all the log into one index regardless how many day? And make it 30 shards

warkolm · April 27, 2018, 2:45am

No, use time based indices.

woon_minika · April 27, 2018, 3:40am

Hi Markolm,

If I just want to have one month logs rotation, Should my logstash ouput like this :
elasticsearch {
hosts => "127.0.0.1:9200"
manage_template => false
index => "appslog-%{+dd}"
}

warkolm · April 27, 2018, 3:48am

Almost, you just need to adjust the time parameter, see https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-index

system · May 25, 2018, 3:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash creating day based indexes Logstash	5	1138	July 6, 2017
Best practice for indexing a daily log Logstash	2	1738	March 4, 2018
Disable index rotation in logstash Logstash	6	2313	July 6, 2017
Clarification on index by day and automatically closing them Elasticsearch	3	467	December 16, 2016
Is it possible to create two index for the same day using logstash templete Logstash	8	766	September 25, 2019

How should I index the 100 billion log

Related topics